Field of the Invention
Embodiments of the present invention generally relate to the field of data security. In particular, embodiments of the present invention relate to a soft token system that can be used to generate One Time Passwords (OTPs) for two-factor authentication (2FA) for securing Virtual Private Network (VPN) logins, for example, among other use cases.
Description of the Related Art
With the rise of the Internet, most day-to-day activities are performed online. Various types of online activities include, for example, online transactions, accessing Wireless Local Area Networks (WLANs), email, Intranet, Virtual Private Networks (VPNs), and other network resources. Commonly, for each of the online activities, users need to provide credentials, such as a user name and password. For instance, users provide critical/sensitive information, such as bank account information, credit card information, debit card information, smart card information, usernames, passwords, Personal Identification Numbers (PINs) and so forth, while performing online transactions. Such critical information is static in nature and therefore can be intercepted and used by unauthorized individuals. Also, weak passwords are easily susceptible to cracking. Additional threats to sensitive data accessed via online means include malware, viruses, spyware and keyloggers. Thus, there exists a need to provide/enhance security while performing an online activity.
One Time Password (OTP) solutions enable users to perform online activity securely and thus, have gained tremendous popularity over the past few years. An OTP is a type of password that is valid only for one login session or for a limited time. For example, an OTP may be regenerated each time a user desires to log into a website. OTP solutions prove identities more securely because the password for the user keeps changing. Usually, an OTP is based on randomness and is dynamic in nature. For instance, if an intruder steals an OTP value that was already used to conduct an online transaction, he or she will typically not be able to use it since it will be no longer valid. Due to the random nature of OTPs, a next OTP cannot easily be determined based on observations of previously generated OTPs. Thus, OTP solutions provide increased security to users while performing online activity.
Typically, an OTP is generated by hardware-based tokens or software-based tokens. These tokens act like an electronic key to access sensitive information. A hardware-based token is an electronic device carried by a user. The hardware-based token can be easily plugged into a user device and generates an OTP that can be viewed by the user. In contrast, software-based tokens for generating an OTP are typically in the form of an application running on a user's device. Software-based tokens are easy to use as users are not required to carry an additional hardware device.
There exist a number of solutions in the market offering token-based OTP solutions; however, there are many disadvantages associated with current solutions. One of the disadvantages of software-based tokens is that the solutions follow the approach of binding a token to a user device only at the time of importing the token seed from a server and such binding does not persist thereafter. Additionally, the token seed is generated on an external server, and thus, is exposed. Furthermore, prior solutions focus on manual effort to collect the device ID. For example, a user of the device must typically manually enter the device ID upon request into the token generating application on the server side. Alternatively, an administrator of the server side must manually collect the device ID from the device. Existing solutions further focus on administering the device ID from a central location like a server. Moreover, existing solutions fail to provide out-of-band authentication to users. Also, current solutions are not compatible with different types/versions of user devices. Known solutions are further limited to managing a fixed token size (e.g., 128-bit tokens). Additionally, existing solutions are limited in that they cannot be integrated with various platforms.